Biometrics - Legal Update

The Biometric Processing Privacy Code 2025 (Privacy Code) came into force on 3 November 2025.

▶️ What is the Privacy Code?

It is a set of rules issued by the Privacy Commissioner that apply to all entities that collect biometric information for processing by a biometric system technology.

The Privacy Code sets out 13 rules that must be followed for any biometric processing about individuals, these rules replace the privacy principles in the Privacy Act 2020.

▶️ What is Biometric Information?

Biometric information is personal information relating to physical characteristics of an individual including facial, fingerprints, voice/sounds, as well as how they move or perform tasks physically.

▶️ Exclusions

The rules do not apply to health agencies in respect of health biometric information which are bound by the Health Information Privacy Code 2020. Intelligence and security agencies are also excluded from the application of some of the rules. The rules generally do not apply to personal consumer devices like smartwatches.

▶️ What does this mean for employers?

Entities already undertaking biometric processing will have until 3 August 2025 to comply with the rules. Otherwise any new biometric processing activities will need to comply immediately.

▶️ How we can help

For any businesses undertaking biometric processing you will need to thoroughly review your processes against the guidance from the Privacy Commissioner. We can assist with reviewing and updating your Privacy Policies and consultation / communication with your staff.

These comments are general in nature, and are not intended to constitute legal advice. For any employment queries or if you would like us to review and update your employment agreements in line with the changes, contact Catherine Pendleton. law@turnerhopkins.co.nz